Ars Technica reports:
Dozens of UPS stores across 24 states, including California, Georgia, New York, and Nebraska, have been hit by malware designed to suck up credit card details. The UPS Store, Inc., is a subsidiary of UPS, but each store is independently owned and operated as a licensed franchisee.
In an announcement posted Wednesday to its website, UPS said that 51 locations, or around one percent of its 4,470 franchised stores across the country, were found to have been penetrated by a “broad-based malware intrusion.” The company recorded approximately 105,000 transactions at those locations, but does not know the precise number of cardholders affected.
UPS did not say precisely how such data was taken, but given the recent breaches at hundreds of supermarkets nationwide, point-of-sale hacks at Target, and other major retailers, such systems would be a likely attack vector. Earlier this month, a Wisconsin-based security firm also reported that 1.2 billion usernames and passwords had been captured by a Russian criminal group.
(Score: 2) by edIII on Thursday August 21 2014, @07:58PM
They didn't need to do so in order to achieve a high level of security, and that's worse IMO. All that is required is that the card readers are isolated on their own VLAN. That is more or less easily achievable for just about any IT guy out there. Managed switches capable of VLANs (preferable to a card reader managing it) are cheap compared to giving all affected customers complimentary ID theft protection services.
Once it's on its own network you only need some firewall rules...
VLAN_CREADER >> WAN - IP whitelist filter
VLAN_CREADER >> LAN - Blocked
VLAN_CREADER >> LAN - Exception for integration with inventory and POS systems
That's not impossible at all. In fact, it's fairly banal as far as network administration goes. While not foolproof, all outbound traffic is heavily restricted and directed only towards credit card/corporate servers. Attackers would be forced to compromise those servers (DNS/CDN hijacking) to redirect traffic to drop servers.
This is what I came up with in 5 minutes. It addresses physical access by eliminating communications with drop servers. They need to come back to retrieve the data. Isolating the systems on their own VLAN and so heavily restricting outbound traffic makes attackers compromising the card readers from the outside fairly hard as well.
You also get the added benefit (since Internet is up and running) to centralize all traffic to corporate servers and let them handle all the billing. So many possibilities and use cases beyond security.
So it's not that we don't know how to really step up the level of security, it's that the people making the decision to fund it tend to not be sophisticated enough to understand it. It's an expense that doesn't really provide any ROI and is hard to justify to the higher ups.
The McDonald's class action lawsuit possibility opened up by new case precedent with franchise law looks promising. Hold UPS responsible for the data breaches at the mom-and-pop owned franchises. Let's say any corporation with over 10 million per year in profits is required to meet certain data security standards like PCI DSS. That law *ALONE* would be pretty earth shaking. A lot of bitching, but the increased costs are negligible for large corporations.
I think that's the other end of the equation, and that's how to isolate and lock down equipment in the field. Technically, it's not impossible to implement what I said at a small scale. Just a little more expensive, which UPS corporate should be subsidizing.
Also, I think it's interesting to note that these breaches happen *where* they happen. It's all on "old guard" type equipment without a real network engineer to be seen, let alone somebody approaching it with a security mindset.
I'm betting the mom-and-pop store that had chosen some goofy setup with their iPad and a swipe reader feels pretty good right now about their decision against the multi-thousand dollar per station corporate setups...
The future of franchising like this is to roll up security, payment systems, CRM, inventory, etc. as just another benefit of being a franchise member. It's clear you can't rely on underfunded and unsophisticated stores for security.
Technically, lunchtime is at any moment. It's just a wave function.
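The three firewall rules sketched in the comment above (reader VLAN to WAN only via an IP whitelist, reader VLAN to LAN blocked, with an exception for the POS/inventory integration host) can be modelled as a small policy evaluator and rendered as an nftables ruleset. This is an added example, not code from the article, the commenter, or UPS. Every address, interface name, VLAN range, whitelist entry and the sample flows are constructed for illustration, and the choice of a default-drop forward chain is an assumption the comment does not spell out.

```python
"""Model of the card-reader VLAN egress policy described in the comment.

Added example; all addresses, interface names and flows are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology (assumption): card readers in 10.10.0.0/24, the store
# LAN (POS, inventory) in 10.0.0.0/24, anything else is treated as WAN.
VLAN_CREADER = ip_network("10.10.0.0/24")
VLAN_LAN = ip_network("10.0.0.0/24")

# Rule 1: WAN egress only to whitelisted processor/corporate IPs over TCP/443.
# Whitelisting by IP (not hostname) means the readers need no DNS egress.
WAN_WHITELIST = {ip_address("203.0.113.10"), ip_address("203.0.113.11")}

# Rule 3: the LAN exception for POS/inventory integration, as (host, port).
LAN_EXCEPTIONS = {(ip_address("10.0.0.20"), 8443)}  # constructed POS server


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone(addr) -> str:
    """Classify an address into the reader VLAN, the store LAN, or WAN."""
    a = ip_address(addr)
    if a in VLAN_CREADER:
        return "creader"
    if a in VLAN_LAN:
        return "lan"
    return "wan"


def decide(flow: Flow) -> tuple:
    """Return (verdict, reason) for a new connection leaving the reader VLAN."""
    if zone(flow.src) != "creader":
        return ("ignore", "not sourced from the reader VLAN")
    dst = ip_address(flow.dst)
    dzone = zone(dst)
    if dzone == "lan":
        if (dst, flow.dport) in LAN_EXCEPTIONS and flow.proto == "tcp":
            return ("accept", "LAN exception: POS/inventory integration")
        return ("drop", "reader VLAN -> LAN blocked")
    if dzone == "wan":
        if dst in WAN_WHITELIST and flow.dport == 443 and flow.proto == "tcp":
            return ("accept", "WAN whitelist")
        return ("drop", "reader VLAN -> WAN host not whitelisted (possible exfil)")
    return ("drop", "default policy")


def denied_flows(flows):
    """Flows a defender would want logged: reader-VLAN egress that was dropped."""
    return [f for f in flows if decide(f)[0] == "drop"]


def render_nftables(wan_if="wan0", lan_if="vlan_lan", rd_if="vlan_creader") -> str:
    """Render the same policy as an nftables forward chain (interface names assumed)."""
    wl = ", ".join(str(a) for a in sorted(WAN_WHITELIST))
    exc = "\n".join(
        f'        iifname "{rd_if}" oifname "{lan_if}" ip daddr {h} tcp dport {p} accept'
        for h, p in sorted(LAN_EXCEPTIONS)
    )
    return f"""table inet creader {{
    set wan_whitelist {{
        type ipv4_addr
        elements = {{ {wl} }}
    }}
    chain forward {{
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
{exc}
        iifname "{rd_if}" oifname "{lan_if}" drop
        iifname "{rd_if}" oifname "{wan_if}" ip daddr @wan_whitelist tcp dport 443 accept
        iifname "{rd_if}" oifname "{wan_if}" log prefix "creader-egress-denied " drop
    }}
}}
"""


# Constructed sample flows: the first two are legitimate, the rest are what the
# policy exists to stop (lateral movement into the LAN, egress to an unknown host).
SAMPLE_FLOWS = [
    Flow("10.10.0.5", "203.0.113.10", 443),   # to the card processor: accept
    Flow("10.10.0.5", "10.0.0.20", 8443),     # to the POS integration host: accept
    Flow("10.10.0.5", "10.0.0.50", 445),      # SMB into the store LAN: drop
    Flow("10.10.0.5", "198.51.100.77", 443),  # unknown WAN host: drop and log
    Flow("10.10.0.5", "203.0.113.10", 80),    # whitelisted host, wrong port: drop
    Flow("10.0.0.20", "10.10.0.5", 9100),     # LAN-originated, not covered here
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src} -> {f.dst}:{f.dport}/{f.proto}: {decide(f)}")
    print(render_nftables())
```

The rendered chain uses `policy drop`, so anything the listed rules do not match (including LAN-originated connections toward the readers) is also dropped unless it is a reply to an established connection; if the POS host must initiate connections to the readers, that needs its own accept rule. The `log prefix` on the final WAN rule is what gives a defender the signal the comment is after: a reader trying to reach an address outside the whitelist shows up in the firewall log instead of silently succeeding.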